Cloud Custodian is a rules engine for managing public cloud accounts and
resources. It allows users to define policies to enable a well managed
cloud infrastructure, that’s both secure and cost optimized. It
consolidates many of the adhoc scripts organizations have into a
lightweight and flexible tool, with unified metrics and reporting.

Custodian can be used to manage AWS, Azure, and GCP environments by
ensuring real time compliance to security policies (like encryption and
access requirements), tag policies, and cost management via garbage
collection of unused resources and off-hours resource management.

Custodian policies are written in simple YAML configuration files that
enable users to specify policies on a resource type (EC2, ASG, Redshift,
CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters
and actions.

It integrates with the cloud native serverless capabilities of each
provider to provide for real time enforcement of policies with builtin
provisioning. Or it can be run as a simple cron job on a server to
execute against large existing fleets.

The first step to using Cloud Custodian is writing a YAML file
containing the policies that you want to run. Each policy specifies
the resource type that the policy will run on, a set of filters which
control resources will be affected by this policy, actions which the policy
with take on the matched resources, and a mode which controls which
how the policy will execute.

The best getting started guides are the cloud provider specific tutorials.

As a quick walk through, below are some sample policies for AWS resources.

will enforce that no S3 buckets have cross-account access enabled.

will terminate any newly launched EC2 instance that do not have an encrypted EBS volume.

will tag any EC2 instance that does not have the follow tags
“Environment”, “AppId”, and either “OwnerContact” or “DeptID” to be stopped
in four days.

policies:-name:s3-cross-accountdescription:|Checks S3 for buckets with cross-account access andremoves the cross-account access.resource:aws.s3region:us-east-1filters:-type:cross-accountactions:-type:remove-statementsstatement_ids:matched-name:ec2-require-non-public-and-encrypted-volumesresource:aws.ec2description:|Provision a lambda and cloud watch event targetthat looks at all new instances and terminates those withunencrypted volumes.mode:type:cloudtrailrole:CloudCustodian-QuickStartevents:-RunInstancesfilters:-type:ebskey:Encryptedvalue:falseactions:-terminate-name:tag-complianceresource:aws.ec2description:|Schedule a resource that does not meet tag compliance policies to be stopped in four days. Note a separate policy using the`marked-for-op` filter is required to actually stop the instances after four days.filters:-State.Name:running-"tag:Environment":absent-"tag:AppId":absent-or:-"tag:OwnerContact":absent-"tag:DeptID":absentactions:-type:mark-for-opop:stopdays:4

You can validate, test, and run Cloud Custodian with the example policy with these commands:

# Validate the configuration (note this happens by default on run)
$ custodian validate policy.yml
# Dryrun on the policies (no actions executed) to see what resources# match each policy.
$ custodian run --dryrun -s out policy.yml
# Run the policy
$ custodian run -s out policy.yml

You can run Cloud Custodian via Docker as well:

# Download the image
$ docker pull cloudcustodian/c7n
$ mkdir output
# Run the policy## This will run the policy using only the environment variables for authentication
$ docker run -it \
-v $(pwd)/output:/home/custodian/output \
-v $(pwd)/policy.yml:/home/custodian/policy.yml \
--env-file <(env | grep "^AWS\|^AZURE\|^GOOGLE")\
cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/policy.yml
# Run the policy (using AWS's generated credentials from STS)## NOTE: We mount the ``.aws/credentials`` and ``.aws/config`` directories to# the docker container to support authentication to AWS using the same credentials# credentials that are available to the local user if authenticating with STS.# This exposes your container to additional credentials than may be necessary,# i.e. additional credentials may be available inside of the container than is# minimally necessary.
$ docker run -it \
-v $(pwd)/output:/home/custodian/output \
-v $(pwd)/policy.yml:/home/custodian/policy.yml \
-v $(cd ~ &&pwd)/.aws/credentials/home/custodian/:.aws/credentials \
-v $(cd ~ &&pwd)/.aws/config:/home/custodian/.aws/config \
--env-file <(env | grep "^AWS")\
cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/policy.yml

Custodian supports other useful subcommands and options, including
outputs to S3, CloudWatch metrics, STS role assumption. Policies go
together like Lego bricks with actions and filters.

Consult the documentation for additional information, or reach out on gitter.